Cite from Paul Lesniewski e-mail:

The SquirrelMail team is happy to announce the release of version 1.4.17. The most notable change is a security fix that prevents certain specially-crafted hyperlinks within messages from executing cross-site scripting attacks. For other details, see the ReleaseNotes file included in this release. We advise all users of SquirrelMail software to upgrade.

---

Cite from the ReleaseNotes File:

Security issue
==============

An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail. We would like to thank Secunia Research for reporting this issue to us. It is tracked as CVE-2008-2379.

Reproducible: Always
1.4.17 is in CVS.
CVE-2008-2379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2379): Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.
Arches, please test and mark stable:
Package: '=mail-client/squirrelmail-1.4.17'
Keywords: "alpha amd64 ppc ppc64 sparc x86"
Sparc stable.
ppc64 done
ppc stable
alpha/x86 stable
amd64 stable
Thanks! Ready to vote, I vote NO.
No too, closing.